[Pdx-pm] CPAN updates vs vendor updates

Eric Wilhelm scratchcomputing at gmail.com
Tue Aug 26 20:05:50 PDT 2008

# from Keith Lofstrom
# on Tuesday 26 August 2008 19:41:

>> Yes.  I'm not sure what sort of security enhancements you were
>> getting from the RPMs, but the main thing you notice when installing
>> directly from CPAN is that the latest and greatest is always assumed
>> to be stable. ...
>Shudder.  The usual distro updates are to fix exploitable security
>holes or repair disabling bugs, but to not add features or improve
>performance.  Some regression testing is implied.  I assume that
>some CPAN modules are barely tested and there is little preventing
>them from having more bugs and security holes than their predecessors;
>some may even be nonfunctional.

Well, you're assuming that your vendor has done extensive compatibility 
testing on all of the perl modules.

You can lookup a module's results on cpantesters.


Now, that only gives you the OK for all of the current states of the 
dependencies (as found on CPAN at the time of the test), but that tends 
to keep things in a working state for the case of "If I startup CPAN.pm 
on a fresh install, it will pass."

Of course, if redhat had added a critical security patch to a module 
without pushing the change upstream, you might get to be the sharp-eyed 
consumer who caught them out at it ;-)

"I've often gotten the feeling that the only people who have learned
from computer assisted instruction are the authors."
--Ben Schneiderman

More information about the Pdx-pm-list mailing list